Walter Reynolds wrote:
I am running Freeradius 2.2.4 and am not quite sure where to go with this. I have read the documentation, but my need does not quite match.
The documentation describes common setups, and generally how to solve problems. It doesn't describe unusual setups. Yours seems unusual.
We have the standard EAP-PEAP setup where users are authenticated against AD via ntlm-auth. What I need to do is add an authorization check to determine if a users should get a specific VLAN attribute sent back or be placed in a default VLAN (This is so we can only allow access to library resources to those that should be allowed).
That's easy. Write an LDAP query which returns whether or not the user should get that VLAN, and then use it to set the VLAN: if ("%{ldap:query....}") { update reply [ ... vlan info... } } The hard part is writing the LDAP query.
Now, if I had a LDAP group that contained these I could use a simple group setup listed in the http://wiki.freeradius.org/modules/Rlm_ldap page. My problem is, the attribute that contains the data about the affiliation is a multi valued attribute
Which is unusual, and isn't generally recommended. Because it's awkward and hard to deal with.
Another path of thought was to specify a filter in the LDAP module config to something like this.
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(|(umichinstroles=*AffiliateAA)(umichinstroles=*FacultyAA)(umichinstroles=*StudentAA)(umichinstroles=*StaffAA)))"
So that works as far as only responding if a user matches one of those,
Which is good.
but then how would I apply a VLAN for them and leave everyone else in a default VLAN?
See the debug output. The LDAP module will return "ok" when a result is found, or "notfound" when a result isn't found. You can then do: ldap if (ok) { ... vlan for matching people } else { ... default vlan } Alan DeKok.